
I want to set up communication over TLS 1.2 in C#. In Java we do it by setting the property "ssl.enabled.protocols"; I'm looking for the same functionality in C#.

I'm using .NET Core 3.1, the OS is Linux, and the package is Confluent.Kafka version 1.7.0.

Panagiotis Kanavos

2 Answers


Put this somewhere at or near the very beginning of execution:

    System.Net.ServicePointManager.SecurityProtocol =
        SecurityProtocolType.Tls12
        // Only if you need them:
        // | SecurityProtocolType.Tls13
        // | SecurityProtocolType.Tls11
        // | SecurityProtocolType.Tls
        ;

Contrary to the misinformation in some of the comments above and below, it is not always guaranteed that TLS 1.2 will be on in every environment where it's available. Of course this is more of an issue for older OSes and .NET versions, but that doesn't mean TLS 1.2 can't be used; it just means you have to set it up explicitly.

Many sources will tell you this has to be done in the Windows registry in older environments, but you can also enable it through the code above.

See also this thread for additional detail.

Edit: after the OP's clarifying comment, I changed the `|=` to `=` because they actually want to DISABLE any TLS version besides 1.2.

Emperor Eto
  • That doesn't enable TLS 1.2, it *disables* TLS 1.3 or better – Panagiotis Kanavos Feb 03 '23 at 13:50
  • Then you can include `| SecurityProtocolType.Tls13` if you need it. – Emperor Eto Feb 03 '23 at 13:52
  • Why? .NET Framework 4.6.2, the oldest supported version, automatically picks the best version by default. If you have to write such code you're running an End-Of-Life version, probably on an unsupported OS too. [.NET Framework 4.6.1](https://devblogs.microsoft.com/dotnet/net-framework-4-5-2-4-6-4-6-1-will-reach-end-of-support-on-april-26-2022/) reached End-of-Life almost a year ago, in April 2022 – Panagiotis Kanavos Feb 03 '23 at 13:55
  • And if you're on a supported OS, you probably run 4.7 if not later already. .NET 4.x runtimes are binary replacements. [Windows 10 and later](https://learn.microsoft.com/en-us/dotnet/framework/migration-guide/versions-and-dependencies) have at least .NET 4.7, and Windows Update may well have upgraded the runtime on older OSs – Panagiotis Kanavos Feb 03 '23 at 13:57
  • That thread you reference doesn't say what you assume. The hard-coded answers were only valid 6 years ago, when 4.7 wasn't yet available. And the answers on 4.7 and later do say the best option is used. I actually answered quite a few of them because I work in an industry that did require TLS 1.2 since 2016, and I did have to handle migrations and patching. If you want to disable older ciphers, the best place to do so is the OS, not hard-coding ciphers – Panagiotis Kanavos Feb 03 '23 at 14:08
  • @PanagiotisKanavos and so already you concede that it's more complicated than "it's always the case" that it's on if it's available. And you have failed to identify the harm in adding a single line of code to guarantee something so important. Someone with a six-figure rep should be even more careful about making statements like that, because they will hold a lot of weight in people's eyes. – Emperor Eto Feb 03 '23 at 14:12
  • No I don't, I'm saying you misunderstood what that link says, or how things have changed in the past 7 years, or how regulations mean you can't really keep using insecure practices – Panagiotis Kanavos Feb 03 '23 at 14:21
  • No one disputes that, if everyone is keeping everything up to date according to best security practices, then there's no need to do this. There are a lot of things you don't need to do when everyone else is doing everything perfectly. Unfortunately in the real world of computing, most of which is subject to little if any regulation, that is rarely the case. People earning a living in that world need to know how to secure their application as best they can notwithstanding others' not following best practices. – Emperor Eto Feb 03 '23 at 19:38
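The comment thread turns on the difference between "TLS 1.2 only" and "TLS 1.2 at minimum". The following is an added example, not code from either answer: it sets the ServicePointManager value the answers use to the minimum-1.2 form, and shows the separate `HttpClientHandler.SslProtocols` property that HttpClient on .NET Core reads instead of ServicePointManager. Neither setting reaches Confluent.Kafka, whose TLS is negotiated by the native librdkafka/OpenSSL layer, so this covers the web-client and SMTP cases the answers describe, not the Kafka client in the question.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Authentication;

// Added example: allow TLS 1.2 and newer, exclude TLS 1.0/1.1.
// Requires .NET Framework 4.8 or .NET Core 3.0+ for the Tls13 members.
static class TlsPolicy
{
    // Assigning with '=' replaces the whole set, so 1.0 and 1.1 drop out even if the
    // runtime had them on. Using '|=' would only add 1.2/1.3 to whatever was already enabled.
    public static SecurityProtocolType MinimumTls12 =>
        SecurityProtocolType.Tls12 | SecurityProtocolType.Tls13;

    // Legacy stack (HttpWebRequest, WebClient, SmtpClient on .NET Framework) reads this
    // process-wide value, which is what both answers set.
    public static void ApplyToServicePointManager()
    {
        ServicePointManager.SecurityProtocol = MinimumTls12;
    }

    // HttpClient on .NET Core takes its protocol list from the handler, not from
    // ServicePointManager, so the same policy has to be stated here as well.
    public static HttpClient CreateHttpClient()
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12 | SslProtocols.Tls13
        };
        return new HttpClient(handler);
    }

    // Usage: call once at startup, then build clients from CreateHttpClient().
    static void Main()
    {
        ApplyToServicePointManager();
        using var client = CreateHttpClient();
        Console.WriteLine($"Process-wide: {ServicePointManager.SecurityProtocol}");
    }
}
```

If a peer only supports TLS 1.3, the "Tls12 only" form from the answers fails the handshake, while this form still connects.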

If you are using a web client or SMTP email sender, you can add this line before the request:

    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

machan
  • This disables the use of TLS 1.3 or better, it doesn't enable TLS 1.2 – Panagiotis Kanavos Feb 03 '23 at 13:51
  • There are still lots of applications running on older versions of .NET, and also some developers need to use this kind of code because some SMTP clients specifically need a TLS version other than the latest. So it disables TLS 1.3, which means it enables TLS 1.2 – machan Feb 03 '23 at 14:04
  • [Even .NET Framework 4.6.1 reached End Of Life](https://devblogs.microsoft.com/dotnet/net-framework-4-5-2-4-6-4-6-1-will-reach-end-of-support-on-april-26-2022/) last year. All supported versions use the OS's best cipher automatically. `it means it enables TLS 1.2` no it doesn't because it's already on. – Panagiotis Kanavos Feb 03 '23 at 14:15
  • Check this link. According to it, to get the default OS choice, if possible, don't set a value for the ServicePointManager.SecurityProtocol property: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls#if-your-app-targets-net-framework-47-or-later-versions – machan Feb 03 '23 at 14:24